TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

An Independent Risk Assessment of Facility Physical Security Was Not Performed in Compliance With Contract Requirements

July 25, 2012

Reference Number: 2012-10-075

This report has cleared the Treasury Inspector General for Tax Administration disclosure review process and information determined to be restricted from public release has been redacted from this document.

Phone Number | 202-622-6500
E-mail Address | TIGTACommunications@tigta.treas.gov
Website | http://www.tigta.gov

HIGHLIGHTS

AN INDEPENDENT RISK ASSESSMENT OF FACILITY PHYSICAL SECURITY WAS NOT PERFORMED IN COMPLIANCE WITH CONTRACT REQUIREMENTS

Final Report issued on July 25, 2012

Highlights of Reference Number: 2012-10-075 to the Internal Revenue Service Deputy Commissioner for Operations Support.

IMPACT ON TAXPAYERS

The IRS has an obligation to protect the Federal Government’s tax administration system, which includes its 100,000 employees stationed at more than 700 facilities, taxpayer information, and the taxpayers who visit the IRS throughout the United States. Our review identified significant deficiencies in the administration of an IRS physical security risk assessment contract. As a result, the contractor was unable to conduct an in-depth, independent assessment regarding the security posture of IRS facilities, as required by the contract. When contracts are not properly administered, the IRS may not receive the desired contract outcomes and the best return on the taxpayers' dollar.

WHY TIGTA DID THE AUDIT

This audit was initiated because effective risk assessments are the primary method used to identify security weaknesses and allow steps to be taken to improve overall security at IRS facilities. The objective of this review was to determine whether the IRS administered the Physical Security Risk Assessment contract in compliance with acquisition regulations and guidance to ensure the IRS received the contract deliverables in accordance with the terms and conditions of the contract.

WHAT TIGTA FOUND

TIGTA determined that the IRS did not receive an in-depth, independent assessment regarding the security posture of its facilities as required by the contract. In addition, the IRS did not administer the Physical Security Risk Assessment contract in compliance with relevant acquisition regulations and guidance. IRS management and Physical Security and Emergency Preparedness program office employees, without the knowledge of the contracting officer, instructed the contractor to perform services that were lesser in scope than required by the original contract. In addition, the contractor indicated that the Physical Security and Emergency Preparedness program office did not provide the contractor access to all of the information necessary to complete a report outlining the IRS’s overall security posture. As a result of these actions, an independent risk assessment of facility physical security was not performed in compliance with contract requirements. In fact, the contractor declined to provide a validation of the acceptability of the IRS’s security posture.

WHAT TIGTA RECOMMENDED

TIGTA recommended that the Deputy Commissioner for Operations Support 1) reemphasize to IRS management officials, program office employees, and contracting officer’s technical representatives that contracting officers must be promptly notified of any changes to contract requirements, and 2) ensure contracting officer’s technical representatives perform their specific responsibilities including: advising the contracting officer when changes in the work occur, reviewing contractor vouchers and invoices to ensure they are accurate, determining whether services are delivered in conformance with the requirements of the contract, and following the contract’s quality assurance plan.

In their response, IRS management agreed with our recommendations and plans to issue a memorandum reemphasizing that contracting officers must be promptly notified of any changes to contract requirements so required modifications can be timely executed. Also, the IRS plans to issue a memorandum to contracting officer’s technical representatives outlining their roles and responsibilities.

DEPARTMENT OF THE TREASURY
WASHINGTON, D.C. 20220

TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

July 25, 2012

MEMORANDUM FOR DEPUTY COMMISSIONER FOR OPERATIONS SUPPORT

FROM: Michael E. McKenney
Acting Deputy Inspector General for Audit

SUBJECT: Final Audit Report – An Independent Risk Assessment of Facility Physical Security Was Not Performed in Compliance With Contract Requirements (Audit # 201110025)

This report presents the results of our review on the Independent Risk Assessment of Facility Physical Security. The overall objective of this review was to determine whether the Internal Revenue Service (IRS) administered the Physical Security Risk Assessment contract[1] in compliance with applicable Federal, Department of the Treasury, and IRS acquisition regulations and guidance to ensure the IRS received the contract deliverables in accordance with the terms and conditions of the contract.
This review is included in our Fiscal Year 2012 Annual Audit Plan and addresses the major management challenge of Fraudulent Claims and Improper Payments.

Management’s complete response to the draft report is included as Appendix V.

Copies of this report are also being sent to the IRS managers affected by the report recommendations. Please contact me at (202) 622-6510 if you have questions or Russell P. Martin, Acting Assistant Inspector General for Audit (Management Services and Exempt Organizations), at (202) 622-8500.

[1] TIRNO-10-C-00041.

Table of Contents

Background
Results of Review
    An Independent Assessment of the Adequacy of Facility Security Was Not Performed in Compliance With the Contract
    Significant Deficiencies Were Identified in the Administration of the Physical Security Risk Assessment Contract
        Recommendation 1
        Recommendation 2
Appendices
    Appendix I – Detailed Objective, Scope, and Methodology
    Appendix II – Major Contributors to This Report
    Appendix III – Report Distribution List
    Appendix IV – Outcome Measure
    Appendix V – Management’s Response to the Draft Report

Abbreviations

COTR    Contracting Officer’s Technical Representative
FAR     Federal Acquisition Regulation
IRS     Internal Revenue Service
PSEP    Physical Security and Emergency Preparedness

Background

The Internal Revenue Service (IRS) has an obligation to protect the Federal Government’s tax administration system, which includes its 100,000 employees stationed at more than 700 facilities, taxpayer information, and the taxpayers who visit the IRS throughout the United States.
In 1995, the President issued Executive Order 12977, Interagency Security Committee,[1] which mandated that Federal agencies assess the vulnerability of Federal facilities. In compliance with Executive Order 12977, the Department of the Treasury requires that risk assessments be conducted at IRS facilities in order to assess security risks from internal or external threats, and to identify the need for security counter measures.[2] Within the IRS, these facility risk assessments are the responsibility of the Office of Physical Security and Emergency Preparedness (PSEP), in the Agency-Wide Shared Services.

On February 18, 2010, a single-engine airplane was intentionally flown into an IRS building in Austin, Texas, killing the pilot and an IRS employee, and injuring 13 others (hereafter referred to as the Austin incident). In response to the Austin incident, the IRS contracted with a consulting firm to conduct a limited study of the IRS’s security posture and to identify gaps in IRS security policy, program administration, management, or practices. The consulting firm’s April 2010 report included a number of areas for improvements. These areas included:

• Ensuring the staffing of risk assessments and compliance reviews promote independence. The consultant recommended that the IRS develop an approach for security specialists to assess facilities not within their purview and/or consider developing an independent assessment or review capability, including leveraging external resources.
• Establishing a centralized process to monitor and track employee training requirements and security-related certifications.
  The consultant recommended that the IRS maintain a tracking process of training and certification data and prioritize staff training nationwide.
• Ensuring risk assessments are fully compliant with the latest Federal facility security standards.[3] The consultant recommended that the IRS ensure that the PSEP automated risk assessment tool includes the most recent Federal facility security standards.

[1] 60 C.F.R. 54411 (1995).
[2] Counter measures include, but are not limited to, security guards, surveillance cameras, and locked entryways.
[3] The Interagency Security Committee established policies for security in and protection of Federal facilities. The Interagency Security Committee issued interim standards, Physical Security Criteria for Federal Facilities - An Interagency Security Committee Standard, dated April 12, 2010, that established a baseline set of physical security measures to be applied to all Federal facilities based on their designated facility security level.

On May 20, 2010, IRS management issued an announcement to update IRS employees on safety and security initiatives underway as a result of the Austin incident. IRS management advised that they were launching an in-depth security review of IRS facilities across the country to determine how the agency might improve its current security posture. The announcement indicated that the IRS would be looking at a host of issues to see what appropriate steps could be taken to improve overall security.

In support of its goal of improving facility security, the IRS initiated the Commissioner’s Security Readiness Project in March 2010.
To obtain an independent perspective on IRS security issues, the IRS appointed an executive from the Office of Procurement to lead this effort. This project team developed an action plan to identify steps that could be taken to improve overall security following the Austin incident. An important part of the action plan included conducting in-depth security reviews (risk assessments) of all IRS facilities by December 31, 2010. The IRS concluded that it did not have the in-house capacity to perform the in-depth risk assessments within the six-month time period and obtained the services of a contractor on June 15, 2010.

The contract[4] required the contractor to:

• Conduct risk assessments at 669 IRS facilities[5] nationwide and analyze existing security measures and practices in each facility.
• Provide findings and recommendations on any deficiencies noted, including cost estimates for corrective actions.
• Prepare a report outlining the IRS’s overall security posture.

A contract modification was executed on December 30, 2010, revising key provisions in the original contract to include that the contractor develop a report that summarizes recurring findings and systemic failures and make recommendations for corrective actions. The contractor was also asked to evaluate the overall PSEP risk assessment process and provide an opinion on the IRS’s overall compliance with Federal facility security standards based on the contractor’s personal observations.

[4] Physical Security Emergency Preparedness Risk Assessment contract (TIRNO-10-C-00041).
[5] While the IRS has more than 700 facilities, the IRS indicated that facilities were excluded from the risk assessment review based on whether the facility was under realignment or underwent major changes before March 11, 2010. The contract further noted that the total number and actual site locations were subject to change due to planned closures and new facility openings. Of the 669 sites initially identified in the contract, the IRS indicated that 631 risk assessments were performed.

IRS contract administration roles and responsibilities

When the IRS awards a contract, the acquisition team is responsible for the various aspects of the contract administration. This team consists of program managers, contracting officers, and contracting officer’s technical representatives (COTR). The responsibilities of the acquisition team are as follows:

• Program Manager – responsible for providing the business justification, certifying that there is a legitimate need for the goods or services requested under the contract, and confirming that sufficient funding is available.
• Contracting Officer – responsible for safeguarding the Government’s interests, ensuring performance of all necessary actions for effective contract administration, and ensuring contractors are complying with contract terms. The contracting officer provides expertise on the transactional aspects of the contracting process, such as entering into, administering, or terminating contracts.
  The contracting officer is the only person authorized to issue a contract modification or task order change.
• COTR – responsible for providing quality assurance to confirm that the contractor has delivered goods and rendered services that conform to contract requirements.

This review was performed at the Agency-Wide Shared Services National Headquarters in Washington, D.C.; the Office of Procurement in Oxon Hill, Maryland; the Agency-Wide Shared Services PSEP offices in Memphis, Tennessee, and Ogden, Utah; and the Department of Homeland Security, Office of Procurement, in Washington, D.C., during the period September 2011 through March 2012. We also visited the contractor’s office in Fayetteville, Georgia. We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objective. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objective. Detailed information on our audit objective, scope, and methodology is presented in Appendix I. Major contributors to the report are listed in Appendix II.

Results of Review

Our review determined that the contractor did not perform an in-depth, independent assessment regarding the security posture of the IRS’s 669 facilities as required by the contract.
In addition, the IRS did not administer the Physical Security Risk Assessment contract in compliance with acquisition regulations and guidance. IRS management and PSEP program office employees directed the contractor to perform services that were lesser in scope than required by the original contract. This direction included that the contractor: assist PSEP employees with conducting the risk assessments rather than lead the risk assessments, provide observations to PSEP personnel who prepared the facility risk assessment reports, and attend only those facility site visits where PSEP personnel requested support. In addition, the contractor indicated that the PSEP program office did not provide the contractor access to all of the information necessary to complete the report outlining the overall IRS security posture.

    Independent, in-depth security reviews were not performed at all IRS facilities in compliance with the requirements of the Physical Security Emergency Preparedness Risk Assessment contract.

As a result of the IRS’s actions, the IRS did not receive contract deliverables in accordance with the contract’s requirements, and the contractor declined to provide a validation of the acceptability of the IRS’s security posture. The noncompliance of contract deliverables could potentially impact the IRS’s ability to make informed decisions regarding its physical security and the need for additional security enhancements.
When contracts are not properly administered, the IRS may not receive the desired contract outcomes and the best return on the taxpayers’ dollar.

An Independent Assessment of the Adequacy of Facility Security Was Not Performed in Compliance With the Contract

Our review determined that the contractor did not conduct independent facility risk assessments in compliance with contract requirements. Instead, the contractor indicated that PSEP employees conducted the risk assessments and were often the same PSEP employees assigned the primary security duties for the facility under review. Analysis of contractor invoices and IRS documentation found that the contractor was not involved in the performance of a risk assessment at 327 (52 percent) of 631 facilities.[6] Even at the IRS sites where the contractor was asked to participate, the amount of assistance provided by the contractor varied at each location based on what the local PSEP representative requested.

[6] Of the 669 sites initially identified in the contract, the IRS indicated that 631 risk assessments were performed.

In addition, the contractor indicated that the IRS did not provide access to the official risk assessment reports for the locations where the contractor’s support was provided. Therefore, the contractor did not have assurance that all significant observations were included in the risk assessment reports for the facilities at which the contractor provided support.
Figure 1 provides a summary of the key contract requirements and modifications and whether or not they were met.

Figure 1: Contractor Compliance With Contract Requirements

Contractor Requirement: Conduct risk assessments at 669 IRS facilities nationwide and analyze existing security measures and practices in each facility by December 31, 2010.
Requirement Met: No – PSEP staff conducted the risk assessments themselves and requested the contractor to provide assistance at only 304 sites.

    Modification: Provide a minimum of one qualified contract security specialist when requested to assist in the completion of site risk assessments at up to 669 IRS facilities by December 31, 2010.
    Requirement Met: Yes

Contractor Requirement: Provide risk assessment reports which include findings and recommendations on any deficiencies noted during the risk assessments.
Requirement Met: No – PSEP staff prepared the risk assessment reports themselves, with the contractor providing observations only when requested.

    Modification: Provide individual findings and recommendations, verbal or written, relating to the individual risk assessments for each facility where assistance was provided as requested.
    Requirement Met: Yes

Contractor Requirement: Prepare a report outlining the overall IRS security posture.
Requirement Met: No – The contractor did not provide support at 327 (52 percent) of the 631 sites where risk assessments were completed. For the sites where only PSEP personnel conducted the risk assessment, the IRS provided copies of risk assessment reports for the contractor’s review. Since the contractor was not physically present for these risk assessments and had concerns about the adequacy of the IRS risk assessment process, the contractor elected not to place reliance on the results. Consequently, the contractor did not provide validation of the acceptability of the IRS’s overall security posture.

    Modification: Provide an executive summary describing the IRS’s overall compliance with Federal facility security standards based on sites visited by the contractor.
    Requirement Met: No – The contractor indicated that the IRS did not provide the contractor access to the official risk assessment reports for the locations where the contractor’s support was provided. Therefore, the contractor did not have assurance that all significant observations were included in the official risk assessment reports.

In addition to those requirements previously listed, the following reporting requirements were added during the modification of the contract’s requirements:

Contractor Requirement: Provide an evaluation of the PSEP overall risk assessment process and recommendations for process improvements based on actual sites visited.
Requirement Met: Yes

Contractor Requirement: Provide a report that summarizes recurring findings, identifies systematic failures, and makes recommended corrective actions.
Requirement Met: No – The contractor did not provide support for all 631 completed risk assessments and indicated that it did not have access to the official reports for the risk assessments where support was provided.

Contractor Requirement: Provide recommendations on the future use of contractor support for the risk assessment process to include lessons learned during the contract’s performance period.
Requirement Met: Yes

Contractor Requirement: Provide draft report to the COTR.[7]
Requirement Met: Yes

Contractor Requirement: Provide final report to the COTR.
Requirement Met: Yes

Source: The Treasury Inspector General for Tax Administration’s review of the contract Performance Work Statement issued June 15, 2010, and modified December 30, 2010.

[7] The Performance Work Statement modified on December 30, 2010, stated that the contractor was to submit a draft and final report; however, the original contract Performance Work Statement did not indicate the specific information to be included in these reports. The contractor’s draft and final reports included: an evaluation of the PSEP overall risk assessment process and recommendations for process improvements, recommendations on future use of contractor support for the risk assessment process, and lessons learned during the contract’s performance period.

Beginning as early as June 18, 2010, IRS management and PSEP program office employees instructed the contractor to perform services that were lesser in scope than stated in the original contract. The contractor is responsible for notifying the contracting officer of any changes in work scope. We identified no written notifications to the contracting officer prior to the contractor providing the reduced services. However, the contractor did provide IRS management and an Office of Procurement official with both written and verbal notifications of a significant change in work scope. For example, in a written notification, dated July 12, 2010, the contractor stated:

    In light of the meeting today and the significant change in the scope of work, I think we should meet tomorrow to go over all of the changes to ensure we are all clear on the work to be performed and the expected results/deliverables.

The contractor advised us that IRS management provided verbal assurances that a contract modification would be put in place. However, this modification was not executed until December 30, 2010, after the completion of the facility risk assessments. Additionally, our review of the contract file identified a December 17, 2010, memorandum written by the contracting officer indicating that the change in the contractor’s role and work scope had been informally put into effect at the request of the PSEP program office. The memorandum further states that the basis for the change in the contractor’s role and work scope was that the IRS did not want the contractor to have knowledge of any security flaws that might potentially exist at IRS facilities. The memorandum also notes that the PSEP program office had not made the contracting officer aware of the change it had directed the contractor to make.
In fact, based on
the memorandum, the matter did not come to the contracting officer’s attention until she learned
of it during an interview with Treasury Inspector General for Tax Administration auditors in
November 2010. Below are excerpts from the December 17, 2010, memorandum:

           It should be noted that the contracting officer and the COTR believed the
           contractor to be performing in accordance with the requirements in the contract.
           When it was brought to our attention that this might not necessarily be the case
           (that, in fact, the contractor was performing some risk assessments reviews
           behind the PSEP program office personnel, and not independently conducting the
           security assessments themselves), this was discussed with the IRS program
           manager(s). However, inasmuch as this ‘technical direction’ was done without
           the knowledge or concurrence of either the COTR or the contracting officer, the
           contracting officer has since attempted to ensure that: (1) the contract now
           reflects the work actually performed, and (2) the contractor is paid only for work
           performed.

           The contracting officer and the COTR have been in communication with each
           other and have realized that changes to the contract requirements were made by
           individuals in positions well above themselves without including the contracting
           officer and COTR in these decisions. The contracting officer questioned how this
           could have happened and was told by the COTR that the PSEP Office didn’t want
           an individual or contractor to be privy to all of the possible flaws within the
           various IRS locations.

The Federal Acquisition Regulation (FAR)[8] requires, when possible, that a contract modification
be executed before the work scope changes are implemented.
This protects the Government’s
interest relating to the overall cost of the contract and allows the contracting officer to direct the
performance of the contract work.

[8] 48 C.F.R. ch. 1 (2009).

IRS management informed us that numerous discussions were held after the physical security
risk assessment contract was awarded regarding a change in the contractor’s role and a reduction
in work scope. However, the IRS advised us that the content of the discussions and key
decisions made at these meetings were not documented. Our discussions with IRS management
found that the IRS did not consider taking any alternative actions to protect the Government’s
interests, such as terminating the contract once they decided not to have the contractor
independently conduct the facility risk assessments. The IRS indicated that while the PSEP
security specialists were capable of conducting the risk assessments without contractor support,
the IRS wanted the contractor’s involvement to add additional perspective and credibility to its
assessments. This explanation contradicted the justification in the contract acquisition plan
which indicated that the IRS did not have the in-house capacity to perform the risk assessments
within the six-month time period required for completion.

The contractor’s final report raises concerns regarding PSEP personnel’s
performance of risk assessments

The contractor’s final report deliverable was comprised of lessons learned from the current PSEP
risk assessment process, and a number of issues were identified for IRS consideration.
One
concern the contractor noted involved the independence of PSEP employees leading the risk
assessments. Often the PSEP employees conducting the risk assessments were the same
employees assigned the primary security duties for the facility under review. The contractor
suggested that the IRS select risk assessment team personnel from a different geographical area
if using IRS personnel to conduct future risk assessments. The use of personnel from another
Federal agency or a private contractor was also recommended as another alternative to the
current practice.

Other significant concerns the contractor raised in the report included:
   •   PSEP employees lacked training on the new Federal physical security standards and some
       lacked experience in the performance of facility risk assessments.
   •   The software used to guide and document the risk assessment process did not incorporate
       the new Federal facility security standards, and the cost estimator portion was outdated
       and inaccurate.

It should be noted that the contractor raised additional issues of concern in its draft version of
the report. However, the contractor was directed to remove those statements because the IRS did
not want these issues presented in the final report.
The IRS also requested specific examples
from the contractor in order to respond to the concerns raised, including the concern that not all
identified deficiencies were documented by PSEP personnel in the resulting reports, either out of
political expediency or due to concerns that the findings would lead to additional workload for
security personnel.

The IRS’s rebuttal to the concerns raised in the final report indicated that it would consider the
suggestion to select risk assessment team personnel from a different geographical area in future
assessments. However, the IRS indicated that physical security specialists are required to attend
training. The IRS also indicated that it believed the software was up-to-date with new Federal
facility security standards, and the cost estimator in the software uses an industry-accepted
standard.

Based on the concerns raised during this review relating to potential physical security
deficiencies that the IRS identified, but that may not have been documented in the risk assessments,
we are initiating a separate review to assess the adequacy of the physical security assessments
conducted at IRS facilities.[9]

Significant Deficiencies Were Identified in the Administration of the
Physical Security Risk Assessment Contract

Our review determined that the IRS did not administer the Physical Security Risk Assessment
contract in accordance with relevant FAR provisions, Department of the Treasury regulations,
and IRS policies and procedures.
Figure 2 provides a summary of our evaluation of the key
contract administration requirements relevant to the contract and whether the requirement was
met.

[9] Physical Security and Emergency Preparedness Risk Assessment Process (Audit # 201210007).
[10] A Letter of Appointment is issued by the contracting officer detailing the roles and responsibilities of the COTR
in regard to the contract.

Figure 2: Key IRS Contract Administration Responsibilities Relevant to the Contract

    Contract Administration Requirements                                                      Responsibility Met

    Appoint a COTR by issuing a signed Letter of Appointment[10] tailored to meet             Yes
    the needs of each contract.

    Ensure that all security requirements of the contractor are met, including                Yes
    obtaining security background investigations for all required contractor
    personnel.

    Monitor the contractor’s performance to assure that the contractor has delivered          No
    supplies and services that conform to contract requirements.

    Review contractor invoices and supporting documentation to ensure labor rates             No
    are consistent with the terms and conditions of the contract, and whether billed
    travel costs are supported by appropriate documentation.

    Review hours worked by contractor employees and verify contractor                         No
    qualifications and experience levels for individual contractor employees.

    Ensure that employees (other than the contracting officer) are prohibited from            No
    providing technical direction to the contractor that may change the terms and
    conditions of the contract.

    Ensure that changes in the delivery of goods or services and the resulting effects        No
    on the delivery schedule are formally made by written modification issued by the
    contracting officer before the contractor proceeds with the change.

    Source: The Treasury Inspector General for Tax Administration’s review of FAR provisions, Department
    of the Treasury regulations, IRS Acquisition guidance, and the COTR Letter of Appointment.

In addition, we found that PSEP program office employees acted beyond their authority when
directing the contractor to perform a variety of tasks at the 304 facilities the contractor visited.
These tasks were in direct contradiction to the terms and conditions of the contract. For
example:
   •     The PSEP Risk Assessment Project Manager instructed the contractor to only assist or
         support the PSEP physical security specialists, rather than lead the assessments.
   •     The PSEP Risk Assessment Project Manager instructed the contractor to attend site visits
         only at selected facilities. In contrast, the contract required the contractor to conduct risk
         assessments at 669 IRS facilities, subject to change due to planned office closures and
         new openings.

The FAR states that in the event the contractor makes any changes at the direction of any person
other than the contracting officer, the change will be considered to have been made without
authority.
Our review identified that the role and scope of work performed by the contractor was
reduced based on the verbal direction of IRS management. This change was not at the direction
of the contracting officer, as required.

The contract was not timely modified

Although IRS management changed the role and responsibilities of the contractor by directing a
reduction in services shortly after the contract was awarded, the contract was not modified until
six months after the contractor began. Specifically, the contract modification was not executed
until after all of the risk assessments of IRS facilities were performed.

A contracting officer relies upon the COTR and the contractor to advise him or her of any
change in the contract requirements (scope of work). One of the duties included in the COTR
Letter of Appointment is to assure that changes in work or services are included in the contract
through a written modification issued by the contracting officer. This modification should be
prepared before the contractor implements the changes. Figure 3 shows a timeline of significant
events based on our review of the contract file, e-mails, and discussions with the IRS and the
contractor.
The timeline provides examples of the numerous opportunities PSEP personnel had
to inform the contracting officer, as required, of the changes that had been informally
implemented.

Figure 3: Timeline of Events During Contract Performance

Date                    Event

June 15, 2010           Contract awarded.

June 18, 2010           The Commissioner’s Security Readiness Project leadership advised the PSEP Risk
                        Assessment Project Manager of a change in the role of the contractor.
                        The COTR advised the PSEP Risk Assessment Project Manager of delays in the
                        contractor security clearance process.

June 22, 2010           Due to the delays in completing the contractor background investigations, the PSEP
                        Risk Assessment Project Manager advised PSEP management that PSEP staff would
                        begin to conduct the planned risk assessments and indicated that contractor employees
                        would take over performance of the risk assessments once they received their security
                        clearance.

June 25, 2010           The COTR was included in distribution of an e-mail that discussed the contractor work
                        scope change. The contracting officer indicated that the changes to the scope of work
                        were not communicated at this time.

July 1, 2010            The first two contractor employees received their security clearance.

July 7-9, 2010          The contractor attempts to conduct the first three risk assessments as scheduled.
                        However, IRS employees advised the contractor that they would not be given access to
                        the facilities without IRS escorts.
                        In one instance, the PSEP program employee advised
                        the contractor that the IRS had already completed the risk assessment.

July 12, 2010           During another risk assessment, the contractor indicated that a PSEP program employee
                        advised the contractor that the IRS had already completed the risk assessment.
                        The contractor notifies IRS management of the direction he received on the change in
                        work scope, including an executive from the Office of Procurement. The contracting
                        officer indicated that the changes to the scope of work were not communicated to her at
                        this time.

July 14, 2010           Commissioner’s Security Readiness Project personnel advised the contractor that PSEP
                        program employees would be leading the risk assessments and that the contractor
                        would be providing assistance as needed.

August 4, 2010          The contract specialist (assists the contracting officer) contacted the IRS Project
                        Manager for a status update on the contract performance. The PSEP Risk Assessment
                        Project Manager’s e-mail did not advise the contract specialist of the changes to the
                        scope of work.

                        The COTR advised the contract specialist that the funds needed for the contract had
                        been reduced based on the progress of risk assessments completed.
September 8-16, 2010    The contracting officer signed contract modification number one to remove
                        approximately $800,000 for labor hours no longer needed over the term of the
                        contract.[11] The contracting officer indicated that the changes to the scope of
                        work were not communicated at this time.

November 1, 2010        The contracting officer was advised of the risk assessment contract’s change in
                        contractor role and work scope during an interview with the Treasury Inspector General
                        for Tax Administration.

November 5, 2010        Contract modification number two was issued to change the responsible contracting
                        officer. The contract specialist was assigned as the responsible contracting officer. The
                        contracting officer indicated that the contract specialist had received the contracting
                        officer’s warrant[12] and could now be assigned to serve as the responsible contracting
                        officer.

December 15, 2010       The contractor returns IRS-issued laptops, ending the contractor’s participation and
                        assistance in the risk assessments.

December 30, 2010       The contracting officer signed contract modification number three changing the
                        requirements of the contract to mirror the reduced scope of work.

February 28, 2011       Final contractor report deliverable provided to the IRS.

June 28, 2011           Over the life of the contract, the contractor received approximately $1.2 million, with
                        the remaining $1.3 million in contract funds deobligated.

Source: The Treasury Inspector General for Tax Administration’s review of the contract file, various e-mails from
the IRS and the contractor,
and discussions with the IRS and the contractor.

In our interviews with the IRS, we inquired as to why PSEP personnel did not timely contact the
contracting officer to execute a contract modification. Individuals we interviewed were in
positions in which they had a responsibility to inform the contracting officer that significant
deviations were being made in the scope of the work being performed by the contractor. For
example:
     •   The PSEP Risk Assessment Project Manager indicated that the IRS should have
         considered issuing a contract modification to document the contractor’s reduced work
         scope and deliverables when the changes were implemented in July 2010. However, the
         work to conduct the risk assessments before the December 31, 2010, deadline progressed
         at a fast pace and the modification “fell through the cracks.”
     •   The COTR indicated that there was a conscious decision to delay issuing the contract
         modification to document the new work scope changes because the IRS was not sure of
         what tasks it wanted the contractor to perform and the contractor’s decreased tasks
         reduced the contract’s cost.

[11] The amount of the original contract was $3.3 million.
[12] Under FAR provisions, contracting officers must be appointed in writing on Standard Form 1402, Certificate of
Appointment.
This Certificate of Appointment is commonly referred to as a “warrant.”

The absence of a timely executed modification left the COTR and the contractor without
guidance on how to properly direct the performance of this contract. We believe that the IRS
inefficiently spent approximately $1.2 million as a result of IRS management’s actions. The
contractor was unable to provide key aspects of the contract’s requirements, including assurance
that all significant observations were identified and reported in the subject risk assessments and a
validation of the acceptability of the IRS’s security posture.

The COTR did not ensure invoice documentation was obtained in support of
payments made to the contractor

Our review of all eight invoices totaling approximately $1.2 million submitted for payment under
the contract identified that the COTR did not obtain and/or maintain sufficient documentation to
support more than $1 million of the total amount approved for payment.
Figure 4 summarizes
our review of the supporting invoice documentation maintained by the IRS.

Figure 4: IRS Contractor Invoice Review

    Invoice item        Amount Claimed    Amount Supported    Amount Not Supported    Percentage Not Supported

    Labor                     $935,463                  $0                $935,463                        100%
    Travel Expenses           $301,175            $190,380                $110,795                         37%
    Total                   $1,236,638            $190,380              $1,046,258                         85%

    Source: The Treasury Inspector General for Tax Administration’s review of IRS
    supporting documentation maintained for eight invoices submitted for payment under the
    contract.

The COTR duties include reviewing contractor vouchers and invoices to ensure they accurately
reflect the services delivered in conformance with the requirements of the contract. However,
our review found that the COTR relied on program office employees to determine whether the
contractor’s billed labor hours for each of the 304 site visits were reasonable based on the
requirements of the contract and did not obtain any supporting documentation from the
contractor, e.g., approved timesheets, to ensure the accuracy of the labor hours claimed.

In addition, we identified additional deficiencies relating to the administration of this contract,
including:
   •   The COTR did not review and maintain resumes for five of the 17 contractor employees
       to verify that the skills and qualifications of the employees were in line with the labor rate
       category specified in the contract.
       IRS policy requires that when the contract contains
       specific qualifications or experience levels for individual contract employees, the labor
       check should also include a verification of those qualifications.
   •   Documentation supporting contractor-billed travel expenses was not always obtained or
       maintained in the contract file. The contractor billed travel expenses for 215 separate
       trips. The IRS did not obtain or maintain any supporting documentation for 67 trips
       totaling $108,319 in contractor travel expenses. The IRS also did not verify the amount
       claimed on 19 of these trips, resulting in a net overpayment of $2,475. The errors we
       identified included instances where expenses were not supported with documentation,
       where expenses were in excess of General Services Administration per diem rates
       (e.g., hotels with rates that exceeded General Services Administration per diem rates),
       and where support was provided but the charges were not included on the invoice by the
       contractor.
   •   The COTR did not request or receive any monthly written status or progress reports from
       the contractor, as required by the original contract and the contract’s quality assurance
       plan.[13]

The COTR indicated that it was difficult to monitor the contractor’s performance because the
contractor employees could not be observed as they were in a different geographic location, and
because the PSEP Physical Security Specialist assigned to each facility decided how much and
the kind of assistance they needed at each site.
Although the COTR stated that all travel
expenses were reviewed prior to recommending payment approval for the invoiced expenses,
none of the invoices contained evidence of review, such as the date of the review or the COTR’s
signature or initials. Our review found that this occurred because the responsible COTR failed to
complete specific responsibilities as detailed in the COTR Letter of Appointment.

Recommendations

The Deputy Commissioner for Operations Support should:

Recommendation 1: Reemphasize to IRS management officials, program office employees,
and the COTRs that contracting officers must be promptly notified of any changes to contract
requirements so required modifications can be timely executed.

         Management’s Response: IRS management agreed with our recommendation and
         will issue a memorandum to IRS management officials and the COTRs reemphasizing
         that contracting officers must be promptly notified of any changes to contract
         requirements so required modifications can be timely executed.

[13] Quality assurance is the action taken by the Government to assure that the contractor has delivered supplies or
rendered services that conform to contract requirements.
Quality assurance is conducted after supplies are received
or services rendered and before acceptance is certified in the IRS’s Web Requisition Tracking System.

Recommendation 2: Ensure that the COTRs are administering contracts in accordance with
relevant FAR provisions, Department of the Treasury regulations, and IRS policies and
procedures, and perform their specific responsibilities as detailed in the COTR Letter of
Appointment. This includes ensuring that the COTRs advise contracting officers when changes
in the work or services occur, review contractor vouchers and invoices to ensure they are
accurate, determine whether services are delivered in conformance with the requirements of the
contract, and follow the contract’s quality assurance plan.

       Management’s Response: IRS management agreed with our recommendation and
       will issue a memorandum to PSEP COTRs outlining their roles and responsibilities.
       In
       addition, this memorandum will contain specific guidance on advising the contracting
       officer when changes in the work occur, reviewing contractor vouchers and invoices to
       ensure they are accurate and supported with appropriate documentation, determining
       whether services are delivered in conformance with the requirements of the contract, and
       following the contract’s quality assurance plan.

Appendix I

Detailed Objective, Scope, and Methodology

The overall objective of this review was to determine whether the IRS administered the Physical
Security Risk Assessment contract[1] in compliance with applicable Federal, Department of the
Treasury, and IRS acquisition regulations and guidance to ensure the IRS received the contract
deliverables in accordance with the terms and conditions of the contract. To accomplish our
objective, we:
I.         Reviewed the FAR[2] provisions, Department of the Treasury regulations, and IRS
           acquisition guidance to identify contract administration requirements.
           A. Reviewed the guidance to identify all requirements, including roles and
              responsibilities of procurement and program office staff related to the administration
              of contracts.
           B.
              Interviewed key IRS personnel, including the contracting officer, contract specialist,
              the COTR, and PSEP program manager, and reviewed the PSEP Risk Assessment
              contract file to determine the technical requirements and contract administrative
              duties performed during the administration of the contract.
II.        Determined whether key IRS personnel, including the contracting officer, contract
           specialist, the COTR, and PSEP program manager performed their contract
           administration duties in accordance with regulations and guidance. This included:
           A. Whether contract modifications were properly and timely issued by the contracting
              officer.
           B. Whether the COTR was formally delegated authority and trained before performing
              COTR responsibilities.
           C. Whether the COTR performed the specific duties related to the contract that were
              outlined and agreed to in the COTR’s Letter of Appointment.
           D. Whether the IRS obtained security clearances for the contractor’s employees within
              required time periods.
           E. Obtained and reviewed supporting documents related to the first contract
              modification to evaluate how the IRS calculated the $800,000 reduction in contract
              value from $3.3 million to $2.5 million.

[1] TIRNO-10-C-00041.
[2] 48 C.F.R., Ch. 1, (2009).

III.    Determined whether the IRS received the deliverables in accordance with the terms and
        conditions of the contract.
        A.
           Reviewed the Performance Work Statement from both the original contract and the
           modification issued on December 30, 2010, to obtain an understanding of the
           technical requirements of the contract.
        B. Interviewed key IRS officials to determine whether the contractor performed any
           duties different than those outlined in the Performance Work Statement from both the
           original contract and the modification issued on December 30, 2010.
        C. Interviewed key contractor personnel to determine whether the contractor was
           provided direction to deviate from the performance requirements detailed in the
           Performance Work Statements from both the original contract and the modification
           issued on December 30, 2010, and obtained supporting records and documentation to
           substantiate the information provided during the interviews, when available.
        D. Determined whether IRS program office personnel acted within the scope of their
           authority when providing direction to the contractor by determining whether program
           office personnel were aware that their actions were not in accordance with their
           authority and what actions, if any, were taken to address the unauthorized direction to
           the contractor.
        E. Obtained and reviewed all deliverables provided by the contractor to the IRS to
           determine whether they complied with the contract’s technical requirements as
           outlined in the Performance Work Statement in both the original contract and the
           contract modification issued on December 30, 2010.
        F.
Determined whether the IRS considered any alternative actions to protect the\n           Government’s interests (resources), such as requesting the contractor to complete or\n           re-perform tasks at no additional cost, decreasing task values and related contract\n           costs, withholding payment, or terminating the contract.\n        G. Determined whether the IRS performed quality assurance³ to ensure that deliverables\n           and services provided by the contractor conformed to contract requirements.\n           1. Reviewed the contract’s quality assurance plan, the COTR Letter of Appointment,\n              and IRS acquisition regulations and guidance to identify all requirements,\n              including the roles and responsibilities of the contracting officer and the COTR,\n              related to performing quality assurance per invoices and deliverables.\n\n³ Quality assurance is the action taken by the Government to assure that the contractor has delivered supplies or\nrendered services that conform to contract requirements. Quality assurance is conducted after supplies are received\nor services rendered and before acceptance is certified in the IRS’s Web Requisition Tracking System.\n\n           2. Reviewed all invoices and deliverables related to the contract and verified\n              whether items include evidence of IRS inspection, such as inspection dates, a\n              description of the services rendered for inspection, the outcome of the inspection,\n              and signature of the COTR.\n           3. 
Reviewed all invoices and contract files and determined whether the IRS\n              performed a labor-hour check, which is evidenced through documentation such as\n              the date and time the check was performed, the name of the employee, the\n              employee’s labor category, a description of the work being performed, and the\n              employee’s qualifications.\n           4. Reviewed all invoices and supporting documentation and determined whether\n              labor rates and categories were consistent with the terms and conditions of the\n              contract and whether travel costs billed were supported by documentation\n              consistent with the General Services Administration rates and related to the\n              performance of the contract.\n\nInternal controls methodology\nInternal controls relate to management’s plans, methods, and procedures used to meet their\nmission, goals, and objectives. Internal controls include the processes and procedures for\nplanning, organizing, directing, and controlling program operations. They include the systems\nfor measuring, reporting, and monitoring program performance. We determined the following\ninternal controls were relevant to our audit objective: FAR provisions, Department of the\nTreasury regulations, and IRS policies and procedures. We evaluated these controls by\ninterviewing IRS management and program office personnel, contracting officers, the COTR,\nand contractor personnel, and reviewing applicable documentation.\n\n\n                                                                           Appendix II\n\n                Major Contributors to This Report\n\nNancy A. 
Nakamura, Assistant Inspector General for Audit (Management Services and Exempt\nOrganizations)\nRussell P. Martin, Acting Assistant Inspector General for Audit (Management Services and\nExempt Organizations)\nAlicia Mrozowski, Director\nDarryl Roth, Audit Manager\nMichele Strong, Lead Auditor\nYasmin Ryan, Senior Auditor\nHeather Hill, Senior Evaluator\nLauren Bourg, Auditor\n\n\n                                                                          Appendix III\n\n                        Report Distribution List\n\nCommissioner C\nOffice of the Commissioner – Attn: Chief of Staff C\nChief, Agency-Wide Shared Services OS:A\nDirector, Physical Security and Emergency Preparedness OS:A:PSEP\nDirector, Procurement OS:A:P\nChief Counsel CC\nNational Taxpayer Advocate TA\nDirector, Office of Legislative Affairs CL:LA\nDirector, Office of Program Evaluation and Risk Analysis RAS:O\nOffice of Internal Control OS:CFO:CPIC:IC\nAudit Liaisons:\n       Chief, Agency-Wide Shared Services OS:A\n       Director, Physical Security and Emergency Preparedness OS:A:PSEP\n       Director, Procurement OS:A:P\n\n\n                                                                                                 Appendix IV\n\n                                       Outcome Measure\n\nThis appendix presents detailed information on the measurable impact that our recommended\ncorrective actions will have on tax administration. 
This benefit will be incorporated into our\nSemiannual Report to Congress.\n\nType and Value of Outcome Measure:\n•   Inefficient Use of Resources – Potential; $1,236,638 (see page 9).\n\nMethodology Used to Measure the Reported Benefit:\nIn June 2010, the IRS awarded a contract to conduct risk assessments at all 669 IRS facilities¹\nnationwide. The contract required the contractor to analyze existing security measures and\npractices in each facility; provide findings and recommendations on any deficiencies noted,\nincluding cost estimates for corrective actions; and prepare a report outlining the overall IRS\nsecurity posture. IRS management and PSEP program office employees directed the contractor\nto perform services that were lesser in scope than required by the original contract. This\ndirection included that the contractor assist PSEP employees with conducting the risk\nassessments rather than lead the risk assessments, provide observations to PSEP personnel who\nprepared the final risk assessment reports, and attend only those facility site visits where PSEP\npersonnel requested support. In addition, the contractor indicated that the PSEP program office\ndid not provide the contractor access to all of the information necessary to complete the report\noutlining the overall IRS security posture. As a result of its actions, the IRS did not receive\ncontract deliverables in accordance with the contract’s requirements.\n\nIRS management informed us that numerous discussions were held after the contract was\nawarded regarding a change in the contractor’s role and a reduction in work scope. In addition,\nthe IRS indicated that, while the PSEP security specialists were capable of conducting the risk\nassessments without contractor support, the IRS wanted the contractor’s involvement to add\nadditional perspective and credibility to its risk assessments. 
This explanation was in complete\ncontrast to the justification in the contract acquisition plan that indicated the IRS did not have the\nin-house capacity to perform the risk assessments within the six-month period required for their\ncompletion. The absence of a timely executed modification left the COTR and the contractor\nwithout guidance on how to properly direct the performance of this contract. We believe that the\nIRS inefficiently spent $1,236,638 because the contractor was unable to provide key aspects of\nthe contract’s deliverables, including assurance that all significant observations were identified\nand reported in the subject risk assessment reports, and validation of the acceptability of the\nIRS’s security posture. 
We used the total amount spent on this contract, $1,236,638, as the\nmeasure of the inefficient use of resources.\n\n¹ While the IRS has more than 700 facilities, the IRS indicated that facilities were excluded from the review based\non whether the facility was under realignment or underwent major changes before March 11, 2010. The contract\nfurther noted that the total number and actual site locations were subject to change due to planned closures and new\nfacility openings. Of the 669 sites initially identified in the contract, the IRS indicated that 631 risk assessments\nwere ultimately performed.\n\n\n                                                  Appendix V\n\nManagement’s Response to the Draft Report\n"